Hey @DavidHourani
Perfect
i have a column that i see today or not today
but how does it knows to check if the serial number is new and not the event ? because it is possible to have new event for existing serial number
i see that not all the rows in the table contains value in the "color" column

also, how can i color what we see with today ?

i know there is something _indextime
i though maybe it is possible to check if SerialNumber _indextime exist today but wasn't yesterday
but im not sure how to do it or if it even possible

well you do have today and not today now, so you can follow that up with some magic and it'll give you values from today only :

 ...| eval Begining_Of_Day=relative_time(now(), "@d") 
 | eval Events_Condition=_time-Begining_Of_Day 
 | eval Color=if(Events_Condition>0, "Today","Not Today") 
 |stats values(Color) as Color by SerialNumber
 | search Color!="Not Today"

@DavidHourani but i want to see all the values, only color in different color those from today
and also, i want to check if SerialNumber field is from today and wasn't yesterday
because it is possible that i will have new events today from SerialNumber that i had also yesterday

And do you want to color those as well or not ? if a value was seen yesterday and today should it be colored ? With the search above it does get colored and simply by removing | search Color!="Not Today" you will be able to tell which events are from today only and which are from both today and before 🙂

@DavidHourani I want to color only those from today that wasnt yesterday
But i want to be clear, im not looking for events from today, im looking for specific field from today
SerialNumber is a field in my table and i want to color line when the SerialNumber seen today and not yesterday (or any day befor)
Im getting new events everyday but they are from SerialNumbers i already had
Does this search looking for SerialNumber or just all the events?
Hope it was explained better

is this solution color the column only if there are new Serial Numbers ?

This will give each unique Serial Number a unique color code. If the same value repeats it will re-use previous same color assigned.

so this is not the solution im looking for
let me try to explain it better

let say i have a table with few serial numbers:
1234
5678
9622
7854

all of them will appear in white
tomorrow when the dashboard will run again, we will get new serial number : 56487
i want this one to be colored

@sarit_s I am sorry I still do not get what you want. Do you mean to say when you run the search which returns result 56487 the values 1234, 5678 etc will not be there?

Can you add the screenshot of what kind of output you need? You can send dummy screenshot as well. Also please add your current Splunk search that you are running every day.

hi
i cannot upload screenshots since i don't have enough points 🙂

i will try to explain without it

i want all the serial numbers to stay in the dashboard but if today 56487 is new serial number i want to color its line
tomorrow it won't be new anymore so it will return to be white

@sarit_s Maybe upload your image to https://imgur.com/ or something similar and include the URL in your response.

link text

in the image i uploaded you can see two lines with two different serial numbers.
the first line is colored because today this serial number is new
tomorrow this line won't be colored anymore

so what i want is to color the line with today's new serial number and show it first

@sarit_s you did not paste the link to image!

What is the current query? Leave coloring aside have you figured out how to identify new serial number that have not shownup until the day you run query? Are you maintaining a list of existing serial numbers as lookup or kvstore or any other mechanism?

i have no idea how to do it..
how can i check what is the first time it was indexed in splunk ?

any idea ?

Hey
thanks for your reply
i have 30 days in this dashboard